With more than 30 per cent of the global cloud market and a variety of customisable features, Amazon Web Services (AWS) has become the preferred provider of cloud services for many organisations. While AWS manages cloud security, the responsibility for cloud security lies with the customer.
Security teams need to understand their part of the shared responsibility model, where customers retain control over what security they implement to protect their own content, platform, applications, systems, and networks - just as they do with their own data centre. Depending on experience with cloud services and the stage of using the public cloud, there are certain points to focus on.
Here are the top ten errors - and what you can do about them...
Error #1: Use of the root account for everyday activities
The root account (root user or superuser) has full control over the account, including the ability to delete the account and all content. This level of access is required for certain tasks and should only be used in the appropriate cases. Everyday tasks should be delegated to user accounts with limited powers. This avoids:
- Excessive use of the root account, which can lead to unintentional, far-reaching changes in permissions, policies, settings, and the like. Most users, especially in larger companies, can easily do their work with more limited powers.
- The compromise of a root account that allows an attacker to do everything with the data, including deletion. In larger companies, the sheer number of users increases the risk of compromise.
AWS gives the flexibility to partition and set role permissions. Third-party solutions can also track root user activity and alert security officials to bad practices, such as using a root user regularly in an AWS account.
Error #2: No partitioning of user and role permissions
An AWS best practice for permissions is to grant the user only the level of permissions required to perform their work effectively. This type of restricted role-based access may require some fine-tuning to find exactly the right balance, but it effectively limits the exposure to your data. If a particular user occasionally needs more access than you have granted them for daily use (for example, to create Amazon EC2 instances), grant them additional privileges for the duration of a particular task, and then reset them back to the default.
Error #3: Unlimited access to Amazon S3 buckets
An Amazon S3 bucket is a public cloud storage service that often stores sensitive data such as customer or payment information. Unfortunately, AWS users often forget to make restrictions so that access to these containers is possible for anyone who can guess (or unlock) the appropriate name. Without adequate access policies, data in Amazon S3 is vulnerable. Here, too, there are third-party solutions that detect open buckets and suggest concrete steps to remedy them.
Error #4: Do not use multi-factor authentication
Many data breaches are the result of passwords that do not provide sufficient protection, for example because they are weak or compromised by the house. Nowadays, a single authentication at logon is no longer sufficient to keep your data secure.
Accordingly, multi-factor authentication (MFA) has become a must. By requiring users to sign in with their account password and then go through a second step, you can reduce the risk to your business. Some common examples of MFA are:
- OTP (one-time passwords): Here, one-time passwords are sent to the user by phone or email to verify their identity before they complete their registration.
- USB hardware tokens: With this authentication, the user needs a USB stick that generates an OTP before gaining access.
AWS users who are looking for a way to use MFA without adding another entry to their security budget, can use free tools like Google Authenticator. Monitor that best practices such as MFA are followed and perform a continuous security assessment of the environment to quickly identify and resolve risks. These additional steps are relatively fast and painless, and they make a significant contribution to securing your data.
Error #5: No encryption of stored data
AWS has a key management service that allows encryption keys to be managed. This should be used to encrypt stored data. Unfortunately, many users are unaware of this feature. One of the best encryption practices is to set an encryption key and who can use it, and then lock the key. While encryption does not prevent data breaches, it ensures that your data remains private in the event of data loss.
Error #6: No use of network ACLs
Port scans are a very popular attack vector to find the weakest link through which a network can be infiltrated. Without the right protections implemented, a lot of unnecessary, unwanted, and potentially unsafe traffic will hit your security groups all the time. These groups often act as an instance-level firewall, but the more traffic they encounter, the more difficult it is to effectively monitor potential threats. Using the standard network ACLs allows a lot of traffic and generates a greater number of alerts downstream, increasing the signal-to-noise ratio. If on the other hand, specific network ACLs are used to limit traffic and reduce noise accordingly.
Error #7: No use of monitoring and logging services
AWS provides a number of ways to help users manage, understand, and fine-tune cloud services for greater security and overall better operations. In particular, new or non-skilled users should consider using the following services:
- AWS Config helps assess the configuration of your AWS resources to support compliance checks, operational troubleshooting, and security assessments.
- With AWS CloudWatch, you can collect and track metrics, monitor log files, set alarms, automatically respond to changes, and more.
- AWS CloudTrail enables, among other things, risk and operational auditing, logs and monitors account activity, and provides event histories to simplify security analysis.
Error #8: No identification (and prevention) of abnormal behaviour
Whenever a change is made in an AWS environment, you should notice this and then investigate the reasons. Use logs and data to do this. All of the measures described so far are only successful if you apply strict procedures that allow immediate proactive responses. Effective cloud security solutions trigger alarms and protections as soon as abnormal activity is detected. You can quickly identify compromised credentials or potential account takeover situations and other anomalies, for example, by tracking logon attempts or failed logon attempts. If you do not have one system that notifies you of unusual behaviour, you may not notice security issues until very late or not at all.
Error #9: No regular credential change (access keys)
Compromised credentials give a potential intruder access to cloud resources. If you change credentials regularly, limit the time period for individual permissions, and thus the impact on your data and business should they fall into the wrong hands. To do this, set up a schedule and process for credential rotation to minimize the risks. AWS automatically expires and automatically renews these credentials in some applications, but depending on the location of your applications, you may need to take additional steps to set up a process to rotate credentials.
Error #10: Insufficient understanding of the security implications of the introduction and use of services
Many new users join AWS without understanding the impact or implications of data security. When working with AWS for the first time, you should take time to understand how the different ways of access affect the "real world" and what policies and procedures need to be put in place to reduce risk in the long term. The cloud is at a high rate, so just start and build slowly on the base services. When you quickly set up different services, it is difficult to see what is needed and what is not needed, and to understand which security controls need to be implemented. In the cloud, too, security must always be a top priority.